Perf has been part of the Linux kernel since 2.6.3x to provide a framework for all things performance analysis. It covers hardware-level features (CPU/PMU, Performance Monitoring Unit) as well as software features (software counters, trace points). Among the events perf can measure, there is a small set of common hardware event monikers which get mapped onto the actual events provided by the CPU, if they exist; otherwise the event cannot be used. So it is no surprise that CPU vendors customize the related code in the kernel source.
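The mapping described above is visible from user space through the `perf_event_open` syscall: a request for a generic `PERF_TYPE_HARDWARE` event either succeeds, because the PMU driver found a real counter behind the moniker, or fails with an errno that tells you why. The program below is an added example, not code from the talk or from any vendor kernel; it assumes a Linux host with `linux/perf_event.h` installed, and the enum names and `probe_hw_event` helper are this example's own. It probes a few generic events on the calling thread and classifies each answer, which is also a cheap way to see where a vendor PMU driver diverges from the generic event list on a given device.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/perf_event.h>

/* How the kernel answered a request for one generic hardware event. */
enum perf_probe {
    PERF_PROBE_OPENED,       /* the PMU driver mapped the moniker onto a real counter */
    PERF_PROBE_UNSUPPORTED,  /* ENOENT / EOPNOTSUPP: no CPU event behind this moniker */
    PERF_PROBE_DENIED,       /* EACCES / EPERM: perf_event_paranoid or a sandbox refused */
    PERF_PROBE_OTHER         /* anything else (e.g. E2BIG from an attr/kernel mismatch) */
};

/* Pure errno -> class mapping, kept separate so it can be checked without a PMU. */
enum perf_probe perf_errno_class(int err)
{
    switch (err) {
    case ENOENT:
    case EOPNOTSUPP:
        return PERF_PROBE_UNSUPPORTED;
    case EACCES:
    case EPERM:
        return PERF_PROBE_DENIED;
    default:
        return PERF_PROBE_OTHER;
    }
}

/* Ask the kernel to count one PERF_TYPE_HARDWARE event (config = PERF_COUNT_HW_*) on this thread. */
enum perf_probe probe_hw_event(uint64_t config, uint64_t *count_out)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_HARDWARE;
    attr.size = sizeof(attr);
    attr.config = config;
    attr.disabled = 1;        /* start stopped, enable explicitly below */
    attr.exclude_kernel = 1;  /* user-space only: needs no extra privilege on most systems */
    attr.exclude_hv = 1;

    /* pid 0 = calling thread, cpu -1 = any CPU, no group leader, no flags */
    int fd = (int)syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0)
        return perf_errno_class(errno);

    ioctl(fd, PERF_EVENT_IOC_RESET, 0);
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    volatile uint64_t sink = 0;
    for (uint64_t i = 0; i < 100000; i++)   /* some user-space work for the counter to see */
        sink += i;
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);

    uint64_t count = 0;
    if (read(fd, &count, sizeof(count)) != (ssize_t)sizeof(count))
        count = 0;
    close(fd);
    if (count_out)
        *count_out = count;
    return PERF_PROBE_OPENED;
}

int main(void)
{
    /* A few of the generic monikers; which ones map depends on the CPU's PMU driver. */
    static const struct { const char *name; uint64_t config; } events[] = {
        { "cpu-cycles",             PERF_COUNT_HW_CPU_CYCLES },
        { "instructions",           PERF_COUNT_HW_INSTRUCTIONS },
        { "branch-misses",          PERF_COUNT_HW_BRANCH_MISSES },
        { "stalled-cycles-backend", PERF_COUNT_HW_STALLED_CYCLES_BACKEND },
    };
    static const char *labels[] = { "opened", "unsupported on this PMU", "denied", "other error" };

    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++) {
        uint64_t count = 0;
        enum perf_probe r = probe_hw_event(events[i].config, &count);
        if (r == PERF_PROBE_OPENED)
            printf("%-24s %s, count=%llu\n", events[i].name, labels[r], (unsigned long long)count);
        else
            printf("%-24s %s\n", events[i].name, labels[r]);
    }
    return 0;
}
```

On a desktop Linux box most of these print `opened`; inside a container or with a high `perf_event_paranoid` setting you will see `denied`, and on a PMU whose driver leaves a generic slot unmapped the kernel answers `unsupported on this PMU`, which is exactly the "otherwise the event cannot be used" case from the abstract.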
In this talk, we will dive deeply into a major CPU vendor's perf implementation in its Android kernels, which are widely deployed in hundreds of millions of popular Android devices. We will describe the details of a series of newly discovered critical vulnerabilities. We will choose one of these critical vulnerabilities to explain our exploit methodology and show how we can bypass all existing Android protection mechanisms and finally gain root on the device.
Finally, we will present a live demonstration of rooting a Nexus 6 running the latest Android release, using an application that requires zero permissions.